24 October 2020

two new 50Bd/850 FSK broadcast channels

It seems that the Turkish friends (or "stars and stripes" friends in Turkey) have activated two new 50Bd/850 FSK broadcast channels on 8788.0 and 8792.0 KHz (cf), or likely 8090.0 KHz in ISB mode. Spotted them on 22th October for the first time. 

Fig. 1

Fig. 2

As expected, since the 50Bd/850 waveform, both the channels are KW-46/KIV-7 secured. The "business card" consists of the pseudo-random sequence generated by the polynomial x^31+x^3+1, those bits replace the stop bits and are used by KW-46 cryptographic equipment to provide synchronization (figure 3).

Fig. 3

Tx site (or Tx sites ?) is in Turkey; unfortunately there are no KiwiSDR in the southern Mediterranean, they would have allowed a more accurate DF.

Fig. 4



21 October 2020

KW-46 secured traffic over 188-110A, MHFCS Townsville

Long 110A Serial transmission heard on 6345.50 KHz/usb and used for KW-46/KIV-7 secured fleet broadcast, task usually performed by S4285/S-4481 in NATO Navy.
The analysis of the frame structure (Figure 1) confirms 110A operations at low datarates: each frame is composed of 40 tribit symbols, or 120 bits, (20 symbols for miniprobe + 20 symbols for data). In low datarate modes, from 150 to 1200 bps, the 480-bit length of the 110A scrambler exactly matches four frames (i.e.: 4 x 120 bits) and so it produces the strong 66.67ms spikes which are visible in the auto-correlation function.

Fig. 1 - MIL 188-110A Serial Tone framing

The most interesting aspect is the use of KW-46/KIV-7 encryption to secure data transfers: its use is revelaed by the presence of the pseudo-random sequence generated by the polynomial x^31+x^3+1 (Figure 2). It's worth noting that, usually, the KW-46 crypto device is used in USN/NATO fleet broadcast with FSK 50Bd/850 or S4285 modems. A similar MHFCS transmission was reported here.

Fig. 2 - x^31+x^3+1 pseudo-random sequence

TDoA runs say Australian MHFCS [1] node at Townsville as the Tx site (Figure 3):

Fig.3 - TDoA results

The Bohle Transmitter Station site [2] is a site of approximately 484 hectares, located 10 kilometres west of Townsville (Figs. 4,5). As said, the station is a communications facility used by Defence and forms part of the Modernised High Frequency Communications System.

Fig. 4 - site of the MHFCS (google earth)
Fig. 5 - https://www.flickr.com/photos/csipete/3055234661/in/photostream/


[1] https://i56578-swl.blogspot

12 October 2020

STANAG-4538 to forward 188-220 App.D (SINCGARS) Tx frames to HF

6898 KHz/USB seems to be a good place to catch transmissions which deal with STANAG-4538 3G-HF and COMSEC. After the 256-bit Initialization Vectors encryption, it happened to hear some STANAG-4538 transmissions that used the LDL protocol: nothing particularly interesting except for the transported datagrams that are certainly attributable to SINCGARS traffic which is usually exchanged, however, between 30 and 88 MHz! Indeed, after the analysis of the LDL bitstreams, it turned out that MIL 188-220 App. D "COMMUNICATIONS SECURITY STANDARDS" (shortly idicated as 188-220/D) exactly describes the structure of the transmitted datagrams.
In short, SINCGARS (Single Channel Ground and Airborne Radio System) [1] is a VHF Combat Net Radio (CNR) [2] WF providing secure voice and data communications; MIL 188-220 [3] is a military standard that governs the use of Combat Net Radios and covers layers 1 through 3 (physical, data link, and network) of the OSI stack.

Fig.1 - STANAG-4538 LDL session

LDL protocol analysys
Each LDLn transfer consists of a TX Frame consisting of one data packet. A data packet is defined as a fixed-length sequence of n-byte data (n = 32,64,96,...,512) followed by a 17-bit Sequence Number plus an 8-bit Control Field (presently unused), both added by the LDL protocol. Each TX Frame is sent using burst waveform BW3. During the construction of BW3, a 32-bit CRC is computed across the data bits of each data packet and is then appended to it. Then, 7 flush bits having the value 0 are added to ensure that the encoder is in the all-zero state upon encoding the last flush bit. Sumarizing, the on-air LDLn bits are equal to 8n + (17+8+32+7)  or  8n + 64 (n  =  32,64,96,...,512).

That said, we can go back to the original datagram by inspecting the last 64 bits (17-bit Sequence Number + 8-bit Control Field + 32-bit CRC + 7 flush bits) of the four BW3 bursts (Figure 2). In this sample the values of the Packet Number fields are: 0,0,1,1: most likely, each TX Frame is sent twice to improve the reliability of the transfer (the receive station discards the duplicated packets). Correspondly, the values of the single Packet Byte Count fileds are 415 (110011111) and 346 (101011010): this means that LDL416 protocol is used and therefore the original datagram was splitted into two packets each of 416 and 347 bytes (the Packet Byte Count field contains the number of user bytes -1). 

Fig. 2 - LDL overhead bits

Datagram analysis
The original datagram can be retrieved by reshaping the bitstream in a 3392-bit period (ie (8 × 416) + 64),  isolating the four rows, removing either the duplicated packets and the 64 overhead bits: the resulting bitstream is shown in Figure 3.

Fig. 3 - the original 15-bit period datagram

As said, 188-220/D exactly describes the regular patterns which compose the datagram, particularly the COMSEC preamble field that consist of three components: the bit synchronization subfield (it may consists of a string of alternating ones and zeros), the Frame Synchronization subfield, and a Message Indicator (or Initialization Vector, IV) subfield (Figure 4).

Fig. 4 - traditional COMSEC transmission frame structure (MIL 188-220 App.D)

As per 188-220/D #D., frame sync subfield, and Message Indicator are encoded using Phi patterns, a method of redundantly encoding data bits :
a logical "1" data bit is encoded as a Phi(1) = 111101011001000
a logical "0" data bit is encoded as a Phi(0) = 000010100110111
A simple majority voting process may be performed at the receiver to decode the Phi-encoded patterns to their origlnal format. 
It's to notice that the Phi patterns are generated by the polynomial x^4+x+1 [initial state 1,1,1,1]: this could be misleading if you are looking for a suitable descrambler for the preamble.

I extracted the original datagrams from three STANAG-4538 transmissions heard on 6898 KHz, removed the initial (long) bit sync subfields and placed the bitstreams side by side for better visibility of the COMSEC Frame Sync and IV subfields (Figure 5).
Fig. 5 - COMSEC preambles

As you see the Frame Sync subfield is the same in the three datagrams, this subfield is 465 bits long and consists of 31 Phi-encoded bits (as per 188-220/D): 
01) 111101011001000 → 1
02) 111101011001000 → 1
03) 111101011001000 → 1 
29) 111101011001000 → 1
30) 111101011001000 → 1
31) 000010100110111 → 0 
As expected, the pattern resulting after Phi-decoding matches exactly the one reported in 188-220/D:
The Initialization Vector subfield, a stream of random bits, is redundantly encoded using Phi patterns and is 1305 bits long (87 Phi-encoded bits) in all the three datagrams:

The ecrypted data block follows the Initialization Vector subfield, the external crypto device is presumably KY-57 [4] or the more advanced KY-99.
The same frame structure, and the same subfields lengths, was found in
- SINCGARS transmissions heard on 33 MHz (low VHF, GFSK 16000 Baud) (Figure 6)
- SATCOM transmission heard on 261.5 MHz (UHF, FM 16000 Baud) [5]

Fig. 6 - frame structure of a SINCGARS transmission
i.e. just where do you expect to find it (V/UHF).
Conclusions are hard to draw from such observations: since the LDL packets transport whole 188-220/D frames "as is", STANAG-4538 appears to be used as a kind of "bridge or relay" between V/UHF and HF (Figure 7).
Fig. 7
It sounds quite weird and unusual but however this is what was on-air. What is it, then? 
Since this type of transmission occurred several times and for some days, I tend to exclude that it was an operator mistake or a malfunction of the equipment: both would have been noticed and perhaps fixed. Maybe some kind of tests? Anyway, I find it difficult to think that such a mix is possible by using a "traditional" setup. Indeed, I think that using a SCA-based Software Defined Radio a skilled operator could instantiate a 188-220/D + S4538 session, but... why? Using a such SDRs configuration would be possible outrun the transmission range of (VHF line-of-sight) SINCGARS, but honestly such a solution seems rather crude and impractical. Maybe it was just occasional needs to forward 188-220/D frames to a certain HF endpoint.

In conclusion, at present I don't have a clear explanation and comments will be greatly appreciated. For completeness, it should be added that in these days I have tried some sporadic monitoring but I have not been able to hear these transmissions anymore (at least on 6898 KHz).
A big thank to my friend KC9FFV Marco (Forney, TX USA) who allowed me to use his KiwiSDR beyond the 120 minute time limit [6].

1 October 2020

3G-ALE synchronous Fast Link Setup (FLSU) failures

Monitoring some US Army MARS frequencies such as 6910 KHz/USB, it happens to see 3G-ALE bursts pairs which are not the usual two-way LQA exchanges, as it happens in 2G-ALE (118-141A), but rather synchronous fast link setup (FLSU) failures: indeed, the bursts are sent by the same station, since the levels (5.64 and 5.28 dB).

Fig. 1
The scenario in figure 1 depicts the case in which an xDL ARQ protocol is unsuccessfully invoked via the original FLSU_Call. Quoting STANAG-4538 "Since the calling PU did not receive the FLSU_Confirm response, it must assume that the response did not propagate properly and that the called PU is prepared for the xDL packet transfer protocol. As such, the called PU is set up to receive either the first xDL forward packet PDU, or an xDL_Terminate PDU. Sending a FLSU_Terminate (ie a BW5 burst) would impose a triple demodulation requirement on the receiving PU! (1).
Thus, the calling PU must send up to “N” bursts carrying the xDL_EOM PDU to abort the ARQ protocol (under the xDL protocol specification, “N” is defined by the number of xDL_EOM PDUs that would fit within the time slot of a forward packet PDU)".

Fig. 2 - synchronous LSU failure scenario (from STANAG-4538 Ed.1)
In this sample PU1 (caller) issues a BW5 FLSU_Request to PU2 (called), requesting LDL ARQ traffic, but it does not detect any response from the called station. PU1 shall assume that PU2 issued a FLSU_Confirm but it's not received by PU1. Since PU2 must only look for at most two waveforms (1), it looks for the LDL Forward Packet waveform (BW3) and the LDL_EOM PDU (BW4).  Thus, in order to terminate the link due to missing the FLSU_Confirm, PU1 sends a LDL_EOM (BW4 PDU).
In that same frequency it's possible to hear also 2G-ALE [T-WAS] calls (figure 3), heard callsigns: 3QH, FHUCLR, NC6CLR, M19, STR,.... Who knows, perhaps they use 3G-ALE in that same way.

Fig. 3 - 3G-ALE FLSU (failed) followed by 2G-ALE call

(6910 KHz could be noised by US-based and Latin America-based freebanders/outbanders chatting in LSB)
(1)  STANAG-4538 #4.6.5 "Dual Demodulation": under no circumstances shall PUs be required to simultaneously demodulate more than two waveforms. Any scenario requiring more than dual-demodulation is either an error in the specification or an error in interpretation. The table below defines the dual-demodulation requirements:
STANAG-4538: TABLE 4.6.5-1 Dual Demodulation States

28 September 2020

S-4538/110A transmissions using (unid) 256-bit IV encryption

While monitoring the 6 MHz band looking for the 48KBd "monster", I ran into some STANAG-4538 "circuit mode service" transmissions on 6898 KHz/USB using the 110A Serial Tone in 2400bps/S mode as traffic waveform: likely US Military.  The bitstream after 110A removal (Figure 1) clearly shows the use of encrypted frames which are characterized by 256-bit length Initialization Vectors (IVs), the underlying data-link protocol is then blacked.

Fig. 1 - demodulated bitstream

The transmission frames structure (Figure 2) is very interesting and - in some way - it reminds the embedded COMSEC frame structure as per MIL-STD 188-110D App.D; in this case (the recorded samples) the COMSEC preamble should consist of five components:

a) 192-bit string of alternating ones and zeros (bit-sync/phasing?)

b) 226-bit sequence (frame sync?)

c) 8 x 256-bit (32 bytes) Initialization Vectors (a same IV is repeated eight times)

d) 350-bit string of alternating ones and zeros (bit-sync/phasing?)

e) 150-bit sequence (frame sync?)

Encrypted data block follows, ended by the 40-bit sequence: 0000010010110110010110100101101100100000 (probably acting as EOM).

Fig. 2 - transmission frame structure

Interestingly, the sequences b) and e) have a period length of 60 bits and each sequence may be descrambled by the polynomial x^3+x^2+x+1.

About the initialization vectors (Figure 3), it's to notice that a 16-bit segment (positions 113-128, as if they consist of two 128-bit blocks) has the same value in all the four vectors, but it could be just a mere coincidence and thus futher samples are needed.  Anyway, it's the first time I meet 256-bit length initialization vectors: since their size is as large as the block size of the chiper in use (or as large as the encryption key) it is probably a 256-bit encryption system. In this regard, I only know about "HC-256", a software stream cipher for embedded systems which generates keystream from a 256-bit secret key and a 256-bit initialization vector [1], but this is still speculative.
Since 110A was using a data rate of 2400 bps, the time needed to send a complete IV sequence (2048 bits long) is about 853 msec. 

Fig. 3 - four initialization vectors

Recordings were made thanks to KC9FFV Marco who run a KiwiSDR at Forney, TX USA [2].

[1] https://www.ecrypt.eu.org/stream/ciphers/hc256/hc256.pdf
[2] http://marcocam.selfip.com:8073/

21 September 2020

48 KBaud OQPSK unid wideband transmissions

This post originates from an email from my friend KE9NS Darrin who noticed  a strange transmission around 6.8 MHz with an occupied bandwidth of about 48 KHz. According to his reports, the signal seems to start somewhere between 0000 and 0100 UTC, likely ON until sun rise. Interestingly, the signal tends to move around the band slightly probably trying to find an open slot in the band. Indeed, some breaks were observed and Darrin just noted that when it shut down for a break there was a STANAG 4285 signal within its 48 KHz passband: it must have realized and moved to an open spot.
Darrin kindly sent me his IQ recordings for analysys since it's impossible for me to get such samples using remote KiwiSDRs.

The waveform has a speed of 48000 Baud and occupies a band of about 48 KHz: as shown in Figure 1, the spectrum width, equal to the manipulation speed and the presence of the third line in the 4th power, lead to think to the Offset QPSK (OQPSK) modulation.

Fig. 1
Although GMSK and OQPSK have a lot in common, some further clues in favor of OQPSK come from the phase plane (Figs. 2a, 2b): OQPSK looks like GMSK with BT < 0.25 (the lower the BT index, the more it's similar to OQPSK).

Fig. 2a - OQPSK phase plane

Fig. 2b - syntesized OQPSK signal
Similar results were obtained from the analysis of CIS-1280 waveform (Figure 3).
Fig. 3 - CIS-1280 OQPSK waveform

OQPSK is a constant-envelope modulation that has no 180-deg phase shifts and, therefore, has a much higher spectral containment than non-offset QPSK when transmitted over band-limited nonlinear channels. To further bandlimit an OQPSK signal, Shaped OQPSK (SOQPSK) was introduced and its initial version was referred to as MIL-STD SOQPSK after it was adopted as part of a military standard. 
Since OQPSK is like a GMSK with a small index, it is possible to do some demodulation attempts using the "FSK3 method" introduced by guys from radioscanner.ru [1]. In this regard, I also tried that FSK3 method by demodulating the 48 KBaud signal on three FSK levels (Figure 4) and then appropriately converting the ternary symbols through a small program written with Octave. It is difficult to establish the accuracy of the final bitstream, anyway the links to download the intermediate FSK3 file are below: everyone can try the demodulation by following the method described and post their comments and the obtained bitstreams.

Fig. 4 - FSK3 demodulation

Back to the 48 KBaud signal, it's always very strong, likely a very powerful transmitter. Quoting Darrin "Its a long shot but, the company that was supposedly trying to transmit stock trades via HF radio has a radio tower located in a town near to me. Supposedly they have a huge antenna array in Elburn, IL and transmit 20kw with an ERP of 808kw (very big stacked curtain log-periodic antennas) pointed 48deg and a special FCC license. It turns out, that antenna array is pointed directly towards my home in Bartlett, IL". We also thought of 188-110D App.D (per STANAG-5069) tests but such a waveform is not indicated.

https://yadi.sk/d/J76M1y-l-u42Sg (wav file) 
https://yadi.sk/d/_3o-UTVKEQpKNw (FSK3 demod)

[1] http://www.radioscanner.ru/forum/topic43183.html#msg865791

11 September 2020

110-220Bd/330 FSK, TMS-430/TC-535 (Swiss Army)

I56578, cryptomaster

This is the well-known Swiss Army 220Bd/330 FSK system consisting of the Telematik-Set 430 (TMS-430) [1] in combination with the cipher device TC-535 [2], the utilized HF transceiver is most likely the SE-430 [3]. This signal is commonly logged as "TMS-430", although TMS-430 is actually the DTE device, while the modem function is performed by TC-535 in conjunction wih SE-430.
These transmissions can be heard almost every day on 4495 KHz (CF) around 1800 UTC, a list of frequencies (apparently constant) at which this signal was noted is: 3502 4594 5182 and 5202 kHz; old logs also reports the 120Bd waveform. Recordings used in this analysis were made thanks to the Twente WebSDR and refer to the 4495 KHz channel. 
Looking carefully at the signal, it's possible to note short initial segments which are sent at the speed of 110Bd (Figure 1):
Fig. 1 - initial segment sent at 110Bd
This apparently oddity intrigued me and my friend cryptomaster and so we decided to study the demodulated streams in more detail. Since the TC-535 is directly connected to the HF transceiver, from the analysis of the stream it is possible to trace and verify the operating phases of the cipher. It's to be mentioned that, given the two speeds, the streams were obtained by demodulating the signal from time to time at 110 or 220 Baud depending on the bit segment that had to be studied; the demodulation speed used for a given figure is shown in its caption.
TC-535 Synchronization sequence (COMSEC preamble) consists of a PN (Pseudo Noise) sequence termed as "Synchronizing Template" sent at the speed of 220 Baud (Figure 2). In addition to synchronization, the PN sequence is also used for (encrypted) commands transmission.  Grouping the PN sequences into a single stream and analyzing it, turns out the presence of the polynomial x^7+x^3+1: likely this is just the 7-bit LFSR (indicated as C7 in the Control Unit circuit board) which generates the PN (pseudo noise) sequence.
Fig. 2 - the initial "sync template" sequence (demod speed: 220Bd)
The sync template is then followed by the  so-called "Additional Key" (AK): a time and key-dependent 64-bit block which is tree times repeated and sent in clear-text ASCII 8N2 at the speed of 110 Baud (Figure 3, in opposite polarity). The correct additional key information is obtained by majority decision from the three additional key blocks, which are identical under good transmission conditions, and mixed with the basic key to initialize the cipher generator at the receive TC-535 (thus the AK field may be termed as the Initialization Vector for TC-535).
Fig. 3 - the tree 64-bit Additional Key blocks (demod speed: 110Bd)

The sync phase (PN + AKs) is then followed by a 22-bit long alternating sequence of "0"s and "1"s  which separates AK blocks from encrypted data and allows the speed change to 220Bd (Figure 4).
Fig. 4 - 22-bit "01" sequence, also visible in Fig. 2, unless some bit in error (demod speed: 220Bd)

An optionally switchable FEC protection is built into the TC-535. If FEC is enabled, additional check bits are added to the data, which increase the data volume by a factor of 1.4 to 2.0 depending on the user code (Baudot/ASCII). In case of ASCII, the inserted check bits reduce the useful bit rate to half and consequently bit rate shall be increased by a factor of 2, thus the 220 Baud since the ASCII operational speed is 110 Baud. This clarifies the initial 110 Baud speed used to send the AK blocks (sent as async, clear-text, no FEC)! Note that the encrypted data are only transmitted in synchronous mode and returned asynchronously to the data sink.
The doubled data volume means that FEC encoder function is accomplished by a rate 1/2 convolutional coder (as indeed confirmed in [2], "Encryption method: Bitstream encryption"). Thus, the 220 Baud speed is a sign that FEC is activated and user data are ASCII coded. 
About the canche to trace a check matrix/polynomial in the streams, it should be noted that documentation says "The check bits are obtained from useful bits that have already been sent and added to the data to be sent before encryption", thus FEC encoding happens before the encryption process (!) and unfortunately there will be no interesting signs to look for in the streams. 
However, it can be noted that sometimes a single transmission carries more than one AK blocks (Figure 5), so we think that a single transmission may carry multiple messages/files, each preceded - most likely - by an appropriate an PN sequence.

Fig. 5 (demod speed: 220Bd)

TMS-430 (TelematikSet 430) consists of an NEMP-protected (protection against Nuclear ElectroMagnetic Pulses) device set in a large fiberglass box, consisting of: a notebook computer Toshiba 110CS, Pentium 100 MHz, VGA screen 11.3 inches, an Epson LX 300 matrix printer, two boot disks with DOS - based software.The (in the meantime no longer completely up-to-date) notebook is equipped with a hard drive, but is intended to be started from a boot floppy disk, if necessary any other commercially available IBM-compatible computer can be used. The messages to be transmitted can be recorded directly on the system, but usually a diskette is used to transfer the text message from the command post to the transmission office.
TC-535 (TeleCrypto 535) is more than "just" an encryption device since it also automatically controls the change of direction of the radio stations involved in the link. The most important features are the time and key-dependent initialization sequence, random filler text when in idle and the non-disruptive change of direction. The device is controlled via the TmS-430 keyboard.
As said, the utilized HF transceiver should be the SE-430. The complete communications system consists of a control unit (BE-430), usually connected to a encrypter, and a radioteletype machine. The signal is transferred over field telephone lines to the transmitter site, which can be installed at quite a long distance. The transmitter site equipment consists of the transmitter SE-430, it's power supply SG-430 and the automated antenna tuner AG-510/430.

Fig. 6 - TMS-430 (on the left) and TC-535 (source: Historisches Armeematerial Führungsunterstützung HAMFU)


28 August 2020

CIS Navy VLF 50Bd/75 FSK (T600 75Hz)

50Bd/75 FSK is the T600 waveform variant utilized by Russian Navy on 18.1 kHz, commonly for submarine communications.

Fig. 1 - 50Bd/75 waveform
As seen in CIS 36-50, frames are constructed from data blocks consisting of 7-bit words: a packet of payload data of basically arbitrary length is surrounded by a start and an end sequence (EOM). Sometimes blocks of data already transmitted are observed to be repeated, verifying the contents by the recipient can be performed easily this way. Idle sequences of reversals, i.e. strictly alternating sequences of "0"s and "1"s, of 36 Bd and 50 Bd are used to introduce and to terminate a transmission or also (50 Bd only) to separate data blocks.
A data block itself consists of three sections: start sequence, (encrypted) payload data, end of message (EOM) sequence; all payload data has a fixed ratio of '1's vs. '0's of 4 to 3 or vice versa, depending on polarity of reception (Figure 2). 

Fig. 2 - 4/3 ratio test on a five-message transmission (s1 and s2 data blocks are the same)
After a single "1" bit (following the last "01" reversal pair), the 28-bit (four-words) start sequence 1010111 1101011 0100000 1010000 is sent: the 4/3 ratio is not followed here to make the start sequence distinguishable from the actual data. Payload comes next; its first part are two equal words 0101101 0101101 followed by a repeated ten-word (7 bits each) group: likely the Message Indicator or the session key. All subsequent data (arbitrary length) do not obey a special regularity anymore. The end sequence shows five equal 7-bit words (5 x 0001000), again disregarding the 4/3 ratio of the data section (Figure 3).
Fig. 3 - structure of a data block

Multiple Russian military naval communication stations share this frequency (18.10 KHz) and the call sign "RDL".  The 24h transmission schedule has frequent flash-override messages in A1A Morse, FSK-Morse and T600 75 Hz, as shown in the lower image of Figure 1.

https://yadi.sk/d/0M7f_H_WOD9LTA (T600-75 bitstream)

22 August 2020

Swedish Navy submarine MSK multi-channel broadcast

(For background it might be helpful to read the relevant entries here)

Swedish Royal Navy (Swedish: Svenska marinen [1]) uses a broadcast function of STANAG-5030 (1) for communication with its subs in the Baltic Sea, the return channel is believed to be low-end HF. These LF broadcasts use the 200Bd/100 MSK waveform and can be heard on 40.4, 42.5, and 44.2 KHz (CF) by using  KiwiSDR receivers located in the island of Gotland which have a good SNR. [2].

All the three signals have the classic set of parameters for (G)MSK: a spectrum equal to 1.5*Br (300Hz), shift equal to Br/2 (100Hz), a characteristic bell-shaped appearance (Figure 1), and others such as 4-point constellation, transitions and real trajectories (Figure 2). Please note that the carrier in the fourth degree is very weakly expressed, sometimes it is practically invisible at all.

Fig. 1
Fig. 2
Using 200Bd MSK (a form of QPSK) it is possible to transmit two 100 Baud channels X and Y, each on a pair of phase, and each channel can consists of 2x50 Baud multiplexed channels. Thus, MSK can provide a TDM multi-channel broadcast of  up to 4x50 Baud X1 X2 Y1 Y2 channels within the 200Hz assigned band (MSK4).  Some aspects about the similarities bewteen QPSK and MSK are covered in radioscanner forum [3].

In conditions where no messages are available for transmission, the four channels are arranegd with two "empty channel filler" (ECF) patterns, probably generated automatically at the transmitter equipment:
- two channels share the same 15-bit pattern;
- a third channel uses a different 5-bit pattern;
- the fourth channel uses the same 5-bit pattern where one column is repalced by the bits of the pseuso-random sequence generated by the polynomial x^31+x^3+1.
An example of this "idle" mode is shown in Figure 4: here the m-sequence is sent in the Y2 channel (notice the same pattern sent in X1 X2 channels ).

Fig. 3
A more generalized scheme highlighting the position of the m-sequence channel in four different recordings is shown in Figure 4.

Fig. 4
 In case of messages, the four channels use a 5-bit format with different framings:  
- two channels share the same 5-bit framing, i.e 1-bit marker (pos/neg according the polarity) + 4-bit data:
- a third channel uses an unid (to me) framing;
- the fourth channel uses the same 5-bit framing of the first two channels but the marker column is replaced by the bits of the pseuso-random sequence generated by the polynomial x^31+x^3+1.
Figures 5a,5b show such arrangement.

Fig. 5a
Fig. 5b
Due to their strategic and tactical importance, subcomms require secure cryptographic protocols and this could explain the presence of the x^31+x^3+1 pseudo-ramdom sequence which is used to sync the receive KW-46/KIV-7 ciphers (other than to permit channel identification), although an encrypted 4-bit stream is rather unusual as well as the use of the 1+4 bits frames. 
In this regard, one might even think that the actual secured messages channel is Y before the TDM split (Figure 6), while the other channels X1 X2 transport not critical 4-bit coded data (WX forecast, sea conditions, ...). This way, messages could use 10-bit START-STOP code which is then encrypted using the KW-46/KIV-7 equipment. Encryption results in bits 2 to 10 being encrypted and bit 1 (START) being replaced with unencrypted bit defined by the polynomial x^31+x^3+1, or in reverse order - bits 1 to 9 encrypted and bit 10 (STOP) replaced (2). A second hypothesis - perhaps the most likely - is that each channel is encrypted with a specific cipher ...but these are just my speculations.

Fig. 6 (m-sequence columns are highlighted)

The results of TD0A geolocation indicate three probable transmitter sites that match fairly exactly with those indicated in a map presented by FMV (the Swedish Defence Materiel Administration) [4] at the March 2020 HFIA HF Industry Association [5] Meeting in San Diego, CA (Figure 7):
- 40.4 KHz: SAS/SRC Varberg
- 42.5 KHz: SAS2 Gudinge
- 44.2 KHz: SHR Ruda

Fig. 7

It must be taken into account that I can't record the (KiwiSDR) LF spectrum 24/7 so the results indicated above may be incomplete: further recordings are needed and possibly an update post will be published later. Hints and comments are welcome.

(1) STANAG-5030 is a restricted document so no information is publicy available. Moreover, the new STANAG-4724 "VLF/LF MSK Multi Channel Broadcast" is currently being ratified by NATO member states as next evolution:

(2) max success for x^31+x^3+1 in Y stream was found for a length frame of 10 bit; that same frame does not have parity bits (x^31+x^3+1 column excluded from the checksum)